diff --git a/BUILD b/BUILD
index 4892aa92e26..2ff563e1048 100644
--- a/BUILD
+++ b/BUILD
@@ -1811,6 +1811,7 @@ grpc_cc_library(
hdrs = [
"src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h",
"src/core/ext/xds/xds_channel_args.h",
+ "src/core/lib/security/certificate_provider.h",
"src/core/lib/security/context/security_context.h",
"src/core/lib/security/credentials/alts/alts_credentials.h",
"src/core/lib/security/credentials/composite/composite_credentials.h",
diff --git a/BUILD.gn b/BUILD.gn
index 7992a11f1ee..2f193cf4bc9 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -799,6 +799,7 @@ config("grpc_config") {
"src/core/lib/security/authorization/mock_cel/evaluator_core.h",
"src/core/lib/security/authorization/mock_cel/flat_expr_builder.h",
"src/core/lib/security/authorization/mock_cel/statusor.h",
+ "src/core/lib/security/certificate_provider.h",
"src/core/lib/security/context/security_context.cc",
"src/core/lib/security/context/security_context.h",
"src/core/lib/security/credentials/alts/alts_credentials.cc",
diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml
index aea2c9bcd51..58f4c19e20d 100644
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@@ -660,6 +660,7 @@ libs:
- src/core/lib/security/authorization/mock_cel/evaluator_core.h
- src/core/lib/security/authorization/mock_cel/flat_expr_builder.h
- src/core/lib/security/authorization/mock_cel/statusor.h
+ - src/core/lib/security/certificate_provider.h
- src/core/lib/security/context/security_context.h
- src/core/lib/security/credentials/alts/alts_credentials.h
- src/core/lib/security/credentials/alts/check_gcp_environment.h
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec
index 2ba4d53a57b..308c56a7b50 100644
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@@ -523,6 +523,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/mock_cel/evaluator_core.h',
'src/core/lib/security/authorization/mock_cel/flat_expr_builder.h',
'src/core/lib/security/authorization/mock_cel/statusor.h',
+ 'src/core/lib/security/certificate_provider.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@@ -1022,6 +1023,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/mock_cel/evaluator_core.h',
'src/core/lib/security/authorization/mock_cel/flat_expr_builder.h',
'src/core/lib/security/authorization/mock_cel/statusor.h',
+ 'src/core/lib/security/certificate_provider.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
index db4a2ff0a44..efa2d132f29 100644
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@@ -854,6 +854,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/mock_cel/evaluator_core.h',
'src/core/lib/security/authorization/mock_cel/flat_expr_builder.h',
'src/core/lib/security/authorization/mock_cel/statusor.h',
+ 'src/core/lib/security/certificate_provider.h',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
@@ -1433,6 +1434,7 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/mock_cel/evaluator_core.h',
'src/core/lib/security/authorization/mock_cel/flat_expr_builder.h',
'src/core/lib/security/authorization/mock_cel/statusor.h',
+ 'src/core/lib/security/certificate_provider.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
diff --git a/grpc.gemspec b/grpc.gemspec
index 698e6dad6ed..116cfc602b4 100644
--- a/grpc.gemspec
+++ b/grpc.gemspec
@@ -772,6 +772,7 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/authorization/mock_cel/evaluator_core.h )
s.files += %w( src/core/lib/security/authorization/mock_cel/flat_expr_builder.h )
s.files += %w( src/core/lib/security/authorization/mock_cel/statusor.h )
+ s.files += %w( src/core/lib/security/certificate_provider.h )
s.files += %w( src/core/lib/security/context/security_context.cc )
s.files += %w( src/core/lib/security/context/security_context.h )
s.files += %w( src/core/lib/security/credentials/alts/alts_credentials.cc )
diff --git a/package.xml b/package.xml
index c896bbe0f2d..66bcccb9f69 100644
--- a/package.xml
+++ b/package.xml
@@ -752,6 +752,7 @@
+
diff --git a/src/core/lib/security/certificate_provider.h b/src/core/lib/security/certificate_provider.h
new file mode 100644
index 00000000000..5a9af3d615e
--- /dev/null
+++ b/src/core/lib/security/certificate_provider.h
@@ -0,0 +1,59 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+#define GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+
+#include
+
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/iomgr/pollset_set.h"
+
+// TODO(yashkt): After https://github.com/grpc/grpc/pull/23572, remove this
+// forward declaration and include the header for the distributor instead.
+struct grpc_tls_certificate_distributor;
+
+// Interface for a grpc_tls_certificate_provider that handles the process to
+// fetch credentials and validation contexts. Implementations are free to rely
+// on local or remote sources to fetch the latest secrets, and free to share any
+// state among different instances as they deem fit.
+//
+// On creation, grpc_tls_certificate_provider creates a
+// grpc_tls_certificate_distributor object. When the credentials and validation
+// contexts become valid or changed, a grpc_tls_certificate_provider should
+// notify its distributor so as to propagate the update to the watchers.
+struct grpc_tls_certificate_provider
+ : public RefCounted {
+ public:
+ grpc_tls_certificate_provider()
+ : interested_parties_(grpc_pollset_set_create()) {}
+
+ virtual ~grpc_tls_certificate_provider() {
+ grpc_pollset_set_destroy(interested_parties_);
+ }
+
+ grpc_pollset_set* interested_parties() const { return interested_parties_; }
+
+ virtual RefCountedPtr distributor()
+ const = 0;
+
+ private:
+ grpc_pollset_set* interested_parties_;
+};
+
+#endif // GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal
index 5d601ba7c13..9c3255c7e7d 100644
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@@ -1721,6 +1721,7 @@ src/core/lib/security/authorization/mock_cel/cel_value.h \
src/core/lib/security/authorization/mock_cel/evaluator_core.h \
src/core/lib/security/authorization/mock_cel/flat_expr_builder.h \
src/core/lib/security/authorization/mock_cel/statusor.h \
+src/core/lib/security/certificate_provider.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal
index 3b00ee9aba0..c30a42258e0 100644
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@@ -1548,6 +1548,7 @@ src/core/lib/security/authorization/mock_cel/cel_value.h \
src/core/lib/security/authorization/mock_cel/evaluator_core.h \
src/core/lib/security/authorization/mock_cel/flat_expr_builder.h \
src/core/lib/security/authorization/mock_cel/statusor.h \
+src/core/lib/security/certificate_provider.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \